diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix
index b7f25bd..9a47590 100644
--- a/hosts/mail/modules/dovecot.nix
+++ b/hosts/mail/modules/dovecot.nix
@@ -189,15 +189,10 @@ in
 managesieve_logout_format = bytes ( in=%i : out=%o )
 }
- lda_original_recipient_header = X-Original-To
-
 plugin {
 sieve_dir = /var/vmail/%d/%n/sieve/scripts/
 sieve = /var/vmail/%d/%n/sieve/active-script.sieve
- sieve_extensions = +vacation +vacation-seconds +editheader
- sieve_vacation_use_original_recipient = yes
- sieve_vacation_dont_check_recipient = yes
- sieve_vacation_database = file:/var/vmail/%d/%n/sieve/vacation.db;
+ sieve_extensions = +vacation-seconds +editheader
 sieve_vacation_min_period = 1min
 fts = lucene
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix
index 81e63e1..be00dea 100644
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
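Review bot: In hosts/mail/modules/dovecot.nix the new `sieve_extensions = +vacation-seconds +editheader` line keeps `vacation-seconds` next to the unchanged `sieve_vacation_min_period = 1min`, so a user script can still auto-reply to the same sender as often as once a minute; as far as I know Pigeonhole's own default minimum is one day. If the short period is not needed, drop `+vacation-seconds` or raise the floor, e.g. `sieve_vacation_min_period = 1h`; otherwise add a comment such as `# short vacation period is intentional` so the value is not mistaken for a leftover. Removing `sieve_vacation_dont_check_recipient = yes` is the safer direction, since replies are again limited to mail actually addressed to the user. The `plugin` block continues outside the hunk.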
@@ -111,6 +111,52 @@ in {
 ];
 };
+ "olcDatabase={3}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{3}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=ghetto,dc=at";
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ];
+ };
+ "olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ olcOverlay = "memberof";
+ olcMemberOfRefint = "TRUE";
+ };
+ "olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
+ objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
+ olcOverlay = "ppolicy";
+ olcPPolicyHashCleartext = "TRUE";
+ };
+
 "olcDatabase={4}mdb".attrs = {
 objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix
index 0605a20..647f850 100644
--- a/hosts/nb/modules/desktop/default.nix
+++ b/hosts/nb/modules/desktop/default.nix
@@ -38,7 +38,6 @@ in {
 })
 vscode
- code-cursor
 dracula-theme
diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix
index 5fd5927..5972806 100644
--- a/hosts/nb/users/dominik.nix
+++ b/hosts/nb/users/dominik.nix
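Review bot: In the `{0}to attrs=userPassword` rule of the new `olcDatabase={3}mdb` entry in hosts/mail/modules/openldap.nix, `by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read` lets every account under `ou=system` read password hashes, although binding only needs `auth`; drop that clause or narrow it to the accounts that really need the hash. The catch-all rule `{2}to *` ends in `by * read`, so unauthenticated clients can read the whole `dc=ghetto,dc=at` tree, including the group membership that the memberof overlay maintains; `by users read` in its place keeps this to bound identities if anonymous lookup is not required. The ppolicy overlay is added without `olcPPolicyDefault`, so presumably no default policy (lockout, minimum length) applies unless entries carry their own `pwdPolicySubentry`. Also confirm that `olcDbDirectory = "/var/lib/openldap/data"` is not already used by another database in this file, which the hunk does not show.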
@@ -179,6 +179,38 @@ in
 '';
 };
+ /* Here goes the rest of your home-manager config, e.g. home.packages = [ pkgs.foo ]; */
+ # home.persistence."/nix/persist/user/dominik" = {
+ # allowOther = true;
+ # directories = [
+ # ".ApacheDirectoryStudio"
+ # ".config/Creality"
+ # ".config/github-copilot"
+ # ".config/libreoffice"
+ # ".config/Nextcloud"
+ # ".config/OrcaSlicer"
+ # ".config/rustdesk"
+ # ".config/rustdesk-epicenter"
+ # ".config/Signal"
+ # ".config/Signal-work"
+ # ".config/sops"
+ # ".config/VirtualBox"
+ # ".local/share/keyrings"
+ # ".local/share/Steam"
+ # ".mozilla"
+ # ".ssh"
+ # ".thunderbird"
+ # ".var"
+ # "cloud.cloonar.com"
+ # "nextcloud.cloonar.com"
+ # "cloud.epicenter.works"
+ # "OpenAudible"
+ # "VirtualBox VMs"
+ # "projects"
+ # "go"
+ # ];
+ # };
+
 gtk = {
 enable = true;
 gtk2.extraConfig = ''
diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index 5a058ec..b8f9db4 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -35,7 +35,6 @@
 ./sites/autoconfig.cloonar.com.nix
 ./sites/feeds.cloonar.com.nix
- ./sites/webmail.cloonar.com.nix
 ./sites/vcard.cloonar.dev.nix
 ./sites/vcard.cloonar.com.nix
diff --git a/hosts/web-arm/modules/blackbox-exporter.nix b/hosts/web-arm/modules/blackbox-exporter.nix
index a9ded44..27f265a 100644
--- a/hosts/web-arm/modules/blackbox-exporter.nix
+++ b/hosts/web-arm/modules/blackbox-exporter.nix
@@ -7,9 +7,7 @@ let
 cfg = config.services.blackbox-exporter;
 nginxVHosts = config.services.nginx.virtualHosts or {};
- allDomains = (lib.attrNames nginxVHosts) ++ [
- "foundry-vtt.cloonar.com"
- ];
+ allDomains = lib.attrNames nginxVHosts;
 filteredDomains = builtins.filter (d: !builtins.elem d cfg.blacklistDomains) allDomains;
 httpsDomains = lib.map (d: "https://${d}") filteredDomains;
 domainsString = builtins.concatStringsSep "\n "
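Review bot: The `# home.persistence."/nix/persist/user/dominik"` block in hosts/nb/users/dominik.nix is added fully commented out, together with the template line `/* Here goes the rest of your home-manager config, e.g. home.packages = [ pkgs.foo ]; */`, so it ships as dead configuration with no hint why it is disabled. Either enable it or leave it out of the commit; if it stays as a reminder, replace the template line with a one-line reason such as `# persistence disabled for now: <reason>`. Should the block be enabled later, note that `allowOther = true` would cover directories holding `.ssh`, `.config/sops` and `.local/share/keyrings`, so it is worth confirming which other users can then reach those mounts.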
@@ -47,16 +45,8 @@ in {
 # Configuration file for Blackbox Exporter
 environment.etc."blackbox_exporter/blackbox.yml".text = ''
 modules:
- http_200_final:
+ http_2xx:
 prober: http
- http:
- method: GET
- follow_redirects: true
- preferred_ip_protocol: "ip4" # <-- important: avoid blanket IPv6 failures
- # optional: if you want to prefer v6 but fall back to v4, add:
- # ip_protocol_fallback: true
- valid_http_versions: ["HTTP/1.1", "HTTP/2.0"] # tidy, not required but nice
- valid_status_codes: [200]
 '';
 # Add scrape config for VictoriaMetrics agent
@@ -65,7 +55,7 @@ in {
 - job_name: "blackbox_http_all_domains"
 metrics_path: "/probe"
 params:
- module: ["http_200_final"]
+ module: ["http_2xx"]
 static_configs:
 - targets:
diff --git a/hosts/web-arm/modules/grafana/alerting/websites/default.nix b/hosts/web-arm/modules/grafana/alerting/websites/default.nix
index 7e65cf2..b6139f6 100644
--- a/hosts/web-arm/modules/grafana/alerting/websites/default.nix
+++ b/hosts/web-arm/modules/grafana/alerting/websites/default.nix
@@ -3,10 +3,7 @@ let
 cfg = config.services.blackbox-exporter;
 nginxVHosts = config.services.nginx.virtualHosts or {};
- allDomains =
- (lib.attrNames nginxVHosts) ++ [
- "foundry-vtt.cloonar.com"
- ];
+ allDomains = lib.attrNames nginxVHosts;
 filteredDomains = builtins.filter (d: !builtins.elem d cfg.blacklistDomains) allDomains;
 httpsDomains = lib.map (d: "https://${d}") filteredDomains;
 websiteAlertRules = lib.map (target:
diff --git a/hosts/web-arm/sites/webmail.cloonar.com.nix b/hosts/web-arm/sites/webmail.cloonar.com.nix
deleted file mode 100644
index bae375b..0000000
--- a/hosts/web-arm/sites/webmail.cloonar.com.nix
+++ /dev/null
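Review bot: The new `http_2xx` module in hosts/web-arm/modules/blackbox-exporter.nix sets only `prober: http`, so it runs on blackbox_exporter defaults and loses the explicit `preferred_ip_protocol: "ip4"` that the removed comment called important for avoiding blanket IPv6 failures; as far as I know the default prefers IPv6, so targets with an AAAA record but no working v6 path from this host could start alerting. If that pin is still needed, keep an `http:` section with `preferred_ip_protocol: "ip4"` under the renamed module. Since every target is built as `https://…`, adding `fail_if_not_ssl: true` there would also make the probe fail when a redirect chain ends on plain HTTP. The accepted status widens from exactly 200 to any 2xx, which is presumably intended given the module name.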
@@ -1,78 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- domain = config.networking.domain;
- roundcubeRoot = "${config.services.roundcube.package}/public_html";
- # PHP-FPM socket created by the roundcube module (pool named "roundcube"):
- fpmSocket = config.services.phpfpm.pools.roundcube.socket;
-in
-{
- # DB for Roundcube (PostgreSQL shown; MariaDB works too)
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "roundcube" ];
- ensureUsers = [
- { name = "roundcube"; ensureDBOwnership = true; }
- ];
- };
-
- services.roundcube = {
- enable = true;
- configureNginx = false; # <-- you’ll provide your own vhost
- plugins = [ "managesieve" "archive" "zipdownload" ];
- database = {
- host = "localhost";
- dbname = "roundcube";
- username = "roundcube";
- };
-
- extraConfig = ''
- // IMAP & SMTP
- $config['imap_host'] = 'ssl://imap.${domain}:993';
- $config['smtp_host'] = 'tls://mail.${domain}:587';
- $config['smtp_user'] = '%u';
- $config['smtp_pass'] = '%p';
-
- // ManageSieve (filters + vacation)
- $config['managesieve_host'] = 'tls://imap.${domain}:4190';
- '';
- };
-
- services.nginx = {
- enable = true;
-
- virtualHosts."webmail.${domain}" = {
- forceSSL = true;
- enableACME = true;
- root = roundcubeRoot;
-
- extraConfig = ''
- client_max_body_size 50m;
- '';
-
- locations = {
- # Serve static assets directly
- "~* ^/(favicon\\.ico|robots\\.txt|browserconfig\\.xml)$".tryFiles = "$uri =404";
- "~* ^/(assets|installer|public|skins|plugins)/" = {
- tryFiles = "$uri =404";
- };
-
- # PHP entry points
- "~ \\.php$" = {
- extraConfig = ''
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param HTTPS on;
- fastcgi_pass unix:${fpmSocket};
- fastcgi_buffers 16 16k;
- fastcgi_buffer_size 32k;
- '';
- };
-
- # Default: let Roundcube handle routing
- "/" = {
- tryFiles = "$uri /index.php?$query_string";
- };
- };
- };
- };
-}